Installing a New Cumulus Linux Image
The default password for the cumulus user account is cumulus. The first time you log into Cumulus Linux, you must change this default password. Be sure to update any automation scripts before installing a new image. Cumulus Linux provides command line options to change the default password automatically during the installation process. Refer to ONIE Installation Options.
You can install a new Cumulus Linux image using ONIE, an open source project (equivalent to PXE on servers) that enables the installation of network operating systems (NOS) on bare metal switches.
Before you install Cumulus Linux, the switch can be in two different states:
- The switch does not contain an image (the switch is only running ONIE).
- Cumulus Linux is already on the switch but you want to use ONIE to reinstall Cumulus Linux or upgrade to a newer version.
The sections below describe some of the different ways you can install the Cumulus Linux image. Steps show how to install directly from ONIE (if no image is on the switch) and from Cumulus Linux (if the image is already on the switch). For additional methods to find and install the Cumulus Linux image, see the ONIE Design Specification.
You can download a Cumulus Linux image from the NVIDIA Enterprise support portal.
Installing the Cumulus Linux image is destructive; configuration files on the switch are not saved; copy them to a different server before installing.
In the following procedures:
- You can name your Cumulus Linux image using any of the ONIE naming schemes mentioned here.
- Run the sudo onie-install -h command to show the ONIE installer options.
Install Using a DHCP/Web Server With DHCP Options
To install Cumulus Linux using a DHCP or web server with DHCP options, set up a DHCP/web server on your laptop and connect the eth0 management port of the switch to your laptop. After you connect the cable, the installation proceeds as follows:
The switch boots up and requests an IP address (DHCP request).
The DHCP server acknowledges and responds with DHCP option 114 and the location of the installation image.
ONIE downloads the Cumulus Linux image, installs, and reboots.
You are now running Cumulus Linux.
The most common way is to send DHCP option 114 with the entire URL to the web server (this can be the same system). However, there are other ways you can use DHCP even if you do not have full control over DHCP. See the ONIE user guide for information on partial installer URLs and advanced DHCP options; both articles list more supported DHCP options.
Here is an example DHCP configuration with an ISC DHCP server:
subnet 172.0.24.0 netmask 255.255.255.0 {
  range 172.0.24.20 172.0.24.200;
  option default-url = "http://172.0.24.14/onie-installer-x86_64";
}
Here is an example DHCP configuration with dnsmasq (static address assignment):
dhcp-host=sw4,192.168.100.14,6c:64:1a:00:03:ba,set:sw4
dhcp-option=tag:sw4,114,"http://roz.rtplab.test/onie-installer-x86_64"
If you do not have a web server, you can use this free Apache example.
Install Using a DHCP/Web Server without DHCP Options
Follow the steps below if you can log into the switch on a serial console (ONIE), or log in on the console or with ssh (Install from Cumulus Linux).
Place the Cumulus Linux image in a directory on the web server.
Run the onie-nos-install command:
ONIE:/ # onie-nos-install http://10.0.1.251/path/to/cumulus-install-x86_64.bin
Place the Cumulus Linux image in a directory on the web server.
From the Cumulus Linux command prompt, run the onie-install command, then reboot the switch.
cumulus@switch:~$ sudo onie-install -a -i http://10.0.1.251/path/to/cumulus-install-x86_64.bin
Install Using a Web Server With no DHCP
Follow the steps below if you can log into the switch on a serial console (ONIE), or you can log in on the console or with ssh (Install from Cumulus Linux) but no DHCP server is available.
You need a console connection to access the switch; you cannot perform this procedure remotely.
ONIE is in discovery mode. You must disable discovery mode with the following command:
onie# onie-discovery-stop
On older ONIE versions, if the onie-discovery-stop command is not supported, run:
onie# /etc/init.d/discover.sh stop
Assign a static address to eth0 with the ip addr add command:
ONIE:/ # ip addr add 10.0.1.252/24 dev eth0
Place the Cumulus Linux image in a directory on your web server.
Run the installer manually (because there are no DHCP options):
ONIE:/ # onie-nos-install http://10.0.1.251/path/to/cumulus-install-x86_64.bin
Place the Cumulus Linux image in a directory on your web server.
From the Cumulus Linux command prompt, run the onie-install command, then reboot the switch.
cumulus@switch:~$ sudo onie-install -a -i http://10.0.1.251/path/to/cumulus-install-x86_64.bin
Install Using FTP Without a Web Server
Follow the steps below if your laptop is on the same network as the switch eth0 interface but no DHCP server is available.
Set up DHCP or static addressing for eth0. The following example assigns a static address to eth0:
ONIE:/ # ip addr add 10.0.1.252/24 dev eth0
If you are using static addressing, disable ONIE discovery mode:
onie# onie-discovery-stop
On older ONIE versions, if the onie-discovery-stop command is not supported, run:
onie# /etc/init.d/discover.sh stop
Place the Cumulus Linux image into a TFTP or FTP directory.
If you are not using DHCP options, run one of the following commands (tftp for TFTP or ftp for FTP):
ONIE# onie-nos-install ftp://local-ftp-server/cumulus-install-x86_64.bin
ONIE# onie-nos-install tftp://local-tftp-server/cumulus-install-[PLATFORM].bin
Place the Cumulus Linux image into an FTP directory (TFTP is not supported in Cumulus Linux).
From the Cumulus Linux command prompt, run the following command, then reboot the switch.
cumulus@switch:~$ sudo onie-install -a -i ftp://local-ftp-server/cumulus-install-x86_64.bin
Install Using a Local File
Follow the steps below to install the Cumulus Linux image referencing a local file.
Set up DHCP or static addressing for eth0. The following example assigns a static address to eth0:
ONIE:/ # ip addr add 10.0.1.252/24 dev eth0
If you are using static addressing, disable ONIE discovery mode.
onie# onie-discovery-stop
On older ONIE versions, if the onie-discovery-stop command is not supported, run:
onie# /etc/init.d/discover.sh stop
Use scp to copy the Cumulus Linux image to the switch.
Run the installer manually from ONIE:
ONIE:/ # onie-nos-install /path/to/local/file/cumulus-install-x86_64.bin
Copy the Cumulus Linux image to the switch.
From the Cumulus Linux command prompt, run the onie-install command, then reboot the switch.
cumulus@switch:~$ sudo onie-install -a -i /path/to/local/file/cumulus-install-x86_64.bin
Install Using a USB Drive
Follow the steps below to install the Cumulus Linux image using a USB drive.
Installing Cumulus Linux using a USB drive is fine for a single switch here and there but is not scalable. DHCP can scale to hundreds of switch installs with zero manual input unlike USB installs.
Prepare for USB Installation
From the NVIDIA Enterprise support portal, download the appropriate Cumulus Linux image for your platform.
From a computer, prepare your USB drive by formatting it using one of the supported formats: FAT32, vFAT or EXT2.
Copy the Cumulus Linux image to the USB drive, then rename the image file to onie-installer-x86_64. You can also use any of the ONIE naming schemes mentioned here.
When using a Mac or Windows computer to rename the installation file, the file extension can still be present. Make sure you remove the file extension so that ONIE can detect the file.
Insert the USB drive into the switch, then prepare the switch for installation:
- If the switch is offline, connect to the console and power on the switch.
- If the switch is already online in ONIE, use the reboot command.
SSH sessions to the switch get dropped after this step. To complete the remaining instructions, connect to the console of the switch. Cumulus Linux switches display their boot process to the console; you need to monitor the console specifically to complete the next step.
Monitor the console and select the ONIE option from the first GRUB screen shown below.
Cumulus Linux on x86 uses GRUB chainloading to present a second GRUB menu specific to the ONIE partition. No action is necessary in this menu to select the default option ONIE: Install OS.
The switch recognizes the USB drive and mounts it automatically. Cumulus Linux installation begins.
After installation completes, the switch automatically reboots into the newly installed instance of Cumulus Linux.
ONIE Installation Options
You can run several installer command line options from ONIE to perform basic switch configuration automatically after installation completes and Cumulus Linux boots for the first time. These options enable you to:
- Set a unique password for the cumulus user
- Provide an initial network configuration
- Execute a ZTP script to perform necessary configuration
The onie-nos-install command does not allow you to specify command line parameters. You must access the switch from the console and transfer a disk image to the switch. You must then make the disk image executable and install the image directly from the ONIE command line with the options you want to use.
The following example commands transfer a disk image to the switch, make the image executable, and install the image with the --password option to change the default cumulus user password:
ONIE:/ # wget http://myserver.datacenter.com/cumulus-linux-4.4.0-mlx-amd64.bin
ONIE:/ # chmod 755 cumulus-linux-4.4.0-mlx-amd64.bin
ONIE:/ # ./cumulus-linux-4.4.0-mlx-amd64.bin --password 'MyP4$$word'
You can run more than one option in the same command.
Set the cumulus User Password
The default cumulus user account password is cumulus. When you log into Cumulus Linux for the first time, you must provide a new password for the cumulus account, then log back into the system.
To automate this process, you can specify a new password from the command line of the installer with the --password '<clear text-password>' option. For example, to change the default cumulus user password to MyP4$$word:
ONIE:/ # ./cumulus-linux-4.4.0-mlx-amd64.bin --password 'MyP4$$word'
To provide a hashed password instead of a clear text password, use the --hashed-password '<hash>' option. An encrypted hash maintains a secure management network.
Generate a sha-512 password hash with the following openssl command. The example command generates a sha-512 password hash for the password MyP4$$word.
user@host:~$ openssl passwd -6 'MyP4$$word'
$6$LXOrvmOkqidBGqu7$dy0dpYYllekNKOY/9LLrobWA4iGwL4zHsgG97qFQWAMZ3ZzMeyz11JcqtgwKDEgYR6RtjfDtdPCeuj8eNzLnS.
Specify the new password from the command line of the installer with the --hashed-password '<hash>' command:
ONIE:/ # ./cumulus-linux-4.4.0-mlx-amd64.bin --hashed-password '$6$LXOrvmOkqidBGqu7$dy0dpYYllekNKOY/9LLrobWA4iGwL4zHsgG97qFQWAMZ3ZzMeyz11JcqtgwKDEgYR6RtjfDtdPCeuj8eNzLnS.'
If you specify both the --password and --hashed-password options, the --hashed-password option takes precedence and the switch ignores the --password option.
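The following is an added example, not part of the original documentation: a host-side shell helper for the --hashed-password workflow above. It reads the clear-text password from stdin so that it does not appear in the process list, and refuses any string that is not a standard crypt(3) SHA-512 hash ($6$<salt>$<digest>) before printing the installer command. The function names and the image name passed in are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the Cumulus Linux docs); function names are hypothetical.

# Succeed only if $1 is a well-formed SHA-512 crypt(3) string:
#   $6$[rounds=N$]<salt, 1-16 chars>$<digest, 86 chars>, alphabet ./0-9A-Za-z
is_sha512_crypt() {
    nl='
'
    # grep matches line by line, so reject embedded newlines first.
    case $1 in *"$nl"*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq \
        '^\$6\$(rounds=[0-9]+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$'
}

# Hash a password read from stdin. Unlike "openssl passwd -6 '<password>'",
# the clear text never becomes a command-line argument of openssl.
hash_from_stdin() {
    openssl passwd -6 -stdin
}

# Print the installer command line for image $1 and hash $2.
# A malformed hash (for example one that lost its leading "$") is refused,
# because the installer would otherwise be given a value that is not a
# valid crypt hash.
installer_cmd() {
    image=$1
    hash=$2
    if ! is_sha512_crypt "$hash"; then
        echo "refusing: not a \$6\$ SHA-512 crypt hash" >&2
        return 1
    fi
    # The crypt alphabet contains no single quote, so single-quoting is safe
    # and stops the shell from expanding the "$" characters in the hash.
    printf "./%s --hashed-password '%s'\n" "$image" "$hash"
}

# Usage on the admin host (printf is a shell builtin, so the password
# stays out of argv):
#   stty -echo; IFS= read -r pw; stty echo
#   installer_cmd cumulus-linux-4.4.0-mlx-amd64.bin \
#       "$(printf '%s\n' "$pw" | hash_from_stdin)"
```
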
Provide Initial Network Configuration
To provide initial network configuration automatically when Cumulus Linux boots for the first time after installation, use the --interfaces-file <filename> option. For example, to copy the contents of a file called network.intf into the /etc/network/interfaces file and run the ifreload -a command:
ONIE:/ # ./cumulus-linux-4.4.0-mlx-amd64.bin --interfaces-file network.intf
Execute a ZTP Script
To run a ZTP script that contains commands to execute after Cumulus Linux boots for the first time after installation, use the --ztp <filename> option. For example, to run a ZTP script called initial-conf.ztp:
ONIE:/ # ./cumulus-linux-4.4.0-mlx-amd64.bin --ztp initial-conf.ztp
The ZTP script must contain the CUMULUS-AUTOPROVISIONING string near the beginning of the file and must reside on the ONIE filesystem. Refer to Zero Touch Provisioning - ZTP.
If you use the --ztp option together with any of the other command line options, the ZTP script takes precedence and the switch ignores other command line options.
Change the Default BIOS Password
To provide a layer of security and to prevent unauthorized access to the switch, NVIDIA recommends you change the default BIOS password. The default BIOS password is admin.
To change the default BIOS password:
During system boot, press Ctrl+B through the serial console while the BIOS version prints.
From the Security menu, select Administrator Password.
Follow the prompts.
Edit the Cumulus Linux Image (Advanced)
The Cumulus Linux disk image file contains a BASH script that includes a set of variables. You can set these variables to be able to install a fully configured system with a single image file.
Secure Boot
Secure Boot validates each binary image loaded during system boot with key signatures that correspond to a stored trusted key in firmware.
Secure Boot is only on the NVIDIA SN3700C-S switch.
Secure Boot settings are in the BIOS Security menu. To access BIOS, press Ctrl+B through the serial console during system boot while the BIOS version prints.
To access the BIOS menu, use admin, which is the default BIOS password.
NVIDIA recommends changing the default BIOS password; navigate to Security and select Administrator Password.
To validate or change the Secure Boot mode, navigate to Security and select Secure Boot.
In the Secure Boot menu, you can enable and disable Secure Boot mode. To install an unsigned version of Cumulus Linux or access ONIE without a prompt for a username and password, set Secure Boot to disabled.
To access ONIE when Secure Boot is enabled, authentication is necessary. The default username and password are both root:
ONIE: Rescue Mode ...
Platform : x86_64-mlnx_x86-r0
Version : 2021.02-5.3.0006-rc3-115200
Build Date: 2021-05-20T14:27+03:00
Info: Mounting kernel filesystems... done.
Info: Mounting ONIE-BOOT on /mnt/onie-boot ...
[ 17.011057] ext4 filesystem being mounted at /mnt/onie-boot supports timestamps until 2038 (0x7fffffff)
Info: Mounting EFI System on /boot/efi ...
Info: BIOS mode: UEFI
Info: Using eth0 MAC address: b8:ce:f6:3c:62:06
Info: eth0: Checking link... up.
Info: Trying DHCPv4 on interface: eth0
ONIE: Using DHCPv4 addr: eth0: 10.20.84.226 / 255.255.255.0
Starting: klogd... done.
Starting: dropbear ssh daemon... done.
Starting: telnetd... done.
discover: Rescue mode detected. Installer disabled.
Please press Enter to activate this console. To check the install status inspect /var/log/onie.log.
Try this: tail -f /var/log/onie.log
** Rescue Mode Enabled **
login: root
Password: root
ONIE:~ #
To validate the Secure Boot status of a system from Cumulus Linux, run the mokutil --sb-state command:
cumulus@leaf01:mgmt:~$ mokutil --sb-state
SecureBoot enabled